Procuring goods, services and stolen data continues to be disarmingly inexpensive, thus facilitating the business of cybercrime.

A recent review of 12 English- and Russian-language cybercrime markets, for example, found U.S. credit card data with CVV numbers being sold for an average of $5 to $12 each, increasing to up to $25 for records that also included the cardholder's date of birth and their bank's identity number. U.S. cards sold for less than U.K. cards, which retailed for $17 on average.

The research, conducted by the threat resistance unit at cloud security vendor Armor, found the usual array of offerings that remain commonplace on underground cybercrime markets. These include access credentials for bank checking and savings accounts, full identity packets (aka fullz), distributed denial-of-service and spamming services, stolen medical records, as well as remote desktop protocol credentials for as-yet-unhacked Windows servers. Such marketplaces are typically "darknet" sites, meaning they're hosted on the anonymizing Tor network.

Some tools and services are more expensive than others. While ATM skimmers retail for an average of $500 to $1,500, and the Emotet banking Trojan retails for $1,000, ransomware-as-a-service package Ranion is available for only a $120 monthly subscription, DDoS-on-demand attacks cost just $60 per hour, 51,000 spam emails can be commissioned for $61, and access to unhacked RDP servers costs just $20, Armor reports.

Over the past year, there have been some shifts in the cybercrime-as-a-service landscape. For example, stolen U.K. payment cards, with CVV, currently sell for an average of $17, compared to $22 one year ago. The firm's security researchers suspect this is due to a supply glut, "after a spate of card-skimming attacks hit hundreds of e-commerce websites, including organizations operating in the U.K. such as British Airways, Marriott, Ticketmaster and others," they write in Armor's second annual Black Market Report (see: Magecart Nightmare Besets E-Commerce Websites).

Bitcoins Fuel Illicit Sales

Despite the dollar signs on those offerings, Armor found that the vast majority of transactions continue to be conducted exclusively in bitcoins. "Bitcoin is also used as the primary payment mechanism in the case of ransomware, although there have been instances of payments being required in monero (Kirk, SpriteCoin ransomware), bitcoin cash (Thanatos ransomware), ethereum (HC7 Planetary ransomware), and Dash (Anatova ransomware)," they write.

The scale of the cybercrime underground is reflected by a December 2018 study by three Sydney, Australia-based researchers, who found $76 billion in illegal activity tied to the use of bitcoins. Their report, "Sex, Drugs, and Bitcoin: How Much Illegal Activity Is Financed Through Cryptocurrencies?" found that 46 percent of all bitcoin transactions involved illegal activity, facilitating the continuing rise of "black e-commerce" markets.

Money Mules Tap Shell Corporations

Many money mule services appear to maintain persistence and avoid having their bank accounts get shut down or seized by using shell corporations, which the cybercrime underground also facilitates, Armor reports.

"There is no shortage of scammers on the underground offering to sell sole proprietorship papers complete with an Employer Identification Number (EIN), also known as Tax Identification Number (TIN)," Armor's researchers write. "An EIN is a unique, nine-digit number assigned by the IRS to business entities operating in the U.S. for the purposes of opening a bank account or filing tax returns."

One seller, Armor found, was offering sole proprietorship papers and an EIN for about $1,600, while another was offering an EIN number and articles of incorporation for about $800. Provided that such information looked or was sufficiently legitimate, "money mules can open business bank accounts, enabling them to move larger amounts of money in and out of the account without drawing unwanted attention to their activities," Armor reports.

Medical Records Fuel ID Theft

Cybercrime forums also continue to sell stolen medical records, which get sold for the express purpose of helping to facilitate identity theft. "Most medical records contain everything one needs for identity theft: full name, address, birth date, phone number, email address, social security number, credit card number or checking account number, and emergency contact - which is often a family member," Armor's researchers write.

Even so, the researchers say they found far fewer medical records for sale than they anticipated, given that Privacy Rights Clearinghouse counts 266 medical organizations having been hacked so far this year, resulting in at least 23.5 million medical records having been exposed. They suspect that rather than selling medical records, many sellers first ransack the records for personally identifiable information and then sell this PII directly, without bothering to mention its origin.

Easy Remote Access via RDP

RDP credentials retail for about $20 per server in Europe and the U.S., rising to $25 for servers based in Japan and Australia. Remote desktop protocol is a legitimate access technique used by many organizations to provide remote access to networks and endpoints. But unless organizations lock down and carefully monitor RDP access, it can be abused by attackers to gain direct access to corporate infrastructure.

In February, incident response firm Coveware reported that for the ransomware victims it was assisting, the ones that were able to trace the source of the attacks said that 85 percent of the time, it began with illicit RDP access (see: Ransomware Victims Who Pay Cough Up $6,733 (on Average)).

Some intrusions his company investigates continue to trace to brute-forced or stolen RDP credentials that may result in ransomware infections, but typically only as a final, most visible stage of an attack that may have already been running for weeks or months. Before that, he says, attackers may gain remote access to a targeted environment and ransack it for valuable information, then sell the access credentials to others, unless they simply unleash crypto-locking malware themselves as a final attack-monetization move (see: Cybercrime Markets Sell Access to Hacked Sites, Databases).

As with so many aspects of the cybercrime underground today, criminals have access to a variety of inexpensive hacking options, and attackers don't appear to shy away from putting them to work.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
